On Monday, 1 July 2019 14:39:25 CEST John Crispin wrote:
> @@ -325,7 +353,7 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
> {
> if (!he_capab || !hapd->iconf->ieee80211ax ||
> !check_valid_he_mcs(hapd, he_capab, opmode) ||
> - he_capab_len > sizeof(struct ieee80211_he_capabilities)) {
> + ieee80211_check_he_cap_size(he_capab, he_capab_len)) {
> sta->flags &= ~WLAN_STA_HE;
> os_free(sta->he_capab);
> sta->he_capab = NULL;
> @@ -334,13 +362,13 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
>
> if (!sta->he_capab) {
> sta->he_capab =
> - os_zalloc(sizeof(struct ieee80211_he_capabilities));
> + os_zalloc(he_capab_len);
> if (!sta->he_capab)
> return WLAN_STATUS_UNSPECIFIED_FAILURE;
> }
>
> sta->flags |= WLAN_STA_HE;
> - os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities));
> + os_memset(sta->he_capab, 0, he_capab_len);
> os_memcpy(sta->he_capab, he_capab, he_capab_len);
> sta->he_capab_len = he_capab_len;

Isn't this creating the same sta->he_capab size uncertainty which Jouni previously found in the old version of the patch [1].

Kind regards,
Sven

[1] https://patchwork.ozlabs.org/patch/1109462/
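Review bot: In the first hunk's condition, `check_valid_he_mcs(hapd, he_capab, opmode)` is still evaluated before the new `ieee80211_check_he_cap_size(he_capab, he_capab_len)`, and it is handed the element without its length. Neither helper's body is visible in this hunk, so this is inferred, but if the MCS check reads fields of `he_capab`, it does so on an element received from the station whose length has not yet been validated. Since the element is now treated as variable-length, I would put the size check first: `ieee80211_check_he_cap_size(he_capab, he_capab_len) ||` ahead of `!check_valid_he_mcs(hapd, he_capab, opmode) ||`. A one-line comment on the helper stating its return convention (non-zero means the length is invalid, as its use here implies) would also help, because the name `check` reads the other way round. copy_sta_he_capab's body starts and ends outside the hunk.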